When the history of the connected car is written, this week may go down as a pivotal moment for consumers worried about security.
That is because a pair of technology researchers said that they had wirelessly hacked a Jeep Cherokee through its Internet-connected system, allowing them to take control of critical components like the engine, brakes and even steering under certain conditions.
The revelation left automakers scrambling to reassure their customers that security was a top priority, and Fiat Chrysler said that a software patch it had released a week earlier was designed to plug the hole used by the same two researchers, who had alerted the company before going public.
ADVERTISEMENT
But the breach showed just how vulnerable the new breeds of Web-connected vehicles can be, and the challenges that manufacturers face in defending against the types of attacks common in other technology fields.
“Customers are demanding new capabilities and more technology, so the risk is only going to increase for vehicles,” said Jon Allen, a Web security expert at Booz Allen Hamilton. Auto manufacturers, he said, “know they need to get ahead of this from a security perspective.”
Such a Web-enabled threat is relatively new for the industry: Complex computer software has been used for years to power cars’ performance, but those computerised brains were always walled off inside the cars themselves; they were not connected to the wider world. For example, when the same researchers, Charlie Miller and Chris Valasek, hacked into a Ford Escape in 2013, they could do so only by plugging a cord directly into the vehicle.
ADVERTISEMENT
Now, the need for a cord is gone. About 27 million vehicles worldwide are now connected to the Internet, and that number is predicted to triple by 2022, to more than 82 million, according to IHS Automotive.
“The reality is that this is something that needs to be on the forefront of the industry’s radar,” said Akshay Anand, an analyst at Kelley Blue Book. “It’s not talked about as much as it should be.”
A video and article posted by the technology news site Wired showed just how helpless a driver would be in a hacking attack.
As the Jeep Cherokee barreled down a St. Louis highway at about 110 kmph, the driver, who participated in the experiment, was rendered helpless to control the air conditioning fan, radio, windshield wipers and the car’s digital display. The two hackers, sitting with a laptop in a basement 16 km away, took control of them all, even cutting the engine at one point and bringing the Jeep to a stop as traffic whizzed by. Later, they also cut the brakes.
Valasek, in an interview, said he and Miller spent nearly two years trying to crack the puzzle. Chrysler, like many automakers, has said it designs its entertainment and wireless connectivity system to be separate from the system that controls automotive functions of the car, like the engine and brakes. But the two men have proved that a bridge from one to the other is possible.
“Probably to them it was two separate things,” Valasek said, referring to Chrysler’s engineers. “But people like us think differently, and we thought how it could work until we found the way.”
The pair’s hacking technique is not applicable only to Jeeps, Valasek said. It could have been used on any Fiat Chrysler vehicle using its Uconnect entertainment and wireless connectivity system.
“Five years ago, the auto industry did not consider cybersecurity as a near-term problem,” said Egil Juliussen, senior analyst and research director with IHS Automotive. “This view has changed.”
Fiat Chrysler said that it “monitors and tests the information systems of all of its products to identify and eliminate vulnerabilities in the ordinary course of business.” The company said that its new software patch had closed the security hole the two men had identified.
Other automakers sought to reassure their customers as well.
Allen, the Web security expert with Booz Allen Hamilton, said automakers would most likely have to develop some kind of safe, “disconnected” mode that drivers could immediately revert to if a threat were flagged, so the vehicle would be cut off from the Web.
He said that as new features were introduced and software updates offered, consumers should also get more control over whether they want to use them.
“Just as now I can decide, 'Do I want to upload my credit card to my iPhone?' I should get to decide, 'Is this something I want to upload in my vehicle?'” he said. -The New York Times News Service